custom nss module

kkarun · 11-27-2015, 08:41 AM

Hello Everyone,

I am trying to add a new service to nsswitch module named “templateuser” under password database. I am currently using this SO(shared object) to provide identity for users configured under radius and tacacs servers for authentication purpose. The getpwnam_r method has been overridden to retrieve the result “passwd structure” for each unknown user. This is working fine for us.

Reference i followed is : http://www.linuxquestions.org/questi...module-904131/

The main problem arises only on running the linux command “getent <database-name>”, which runs infinitely(never ends). Methods such as endpwent, setpwent and getpwent_r are overridden to retrieve the entries from this service(in this case it is just the remote “templateuser”).

One thing to note is that “getent passwd<database> <username>” works fine. Pls share your thoughts on the implementation of these overridden methods

Code:

enum nss_status _nss_templateuser_endpwent(void)
{
        syslog(LOG_DEBUG, "_nss_templateuser_endpwent() called. from void template_user");
        if (template_user) {
                free(template_user);
                template_user = NULL;
        }
        return NSS_STATUS_SUCCESS;
}

enum nss_status _nss_templateuser_setpwent (void)
{
        syslog(LOG_DEBUG, "_nss_templateuser_setpwent() called. setpwent ");
        return NSS_STATUS_SUCCESS;
}

enum nss_status _nss_templateuser_getpwent_r(struct passwd *pwbuf, char *buf,
                      size_t buflen, struct passwd **pwbufp)
{
       // my implementation of password structure population
        return NSS_STATUS_SUCCESS;
}

Am i missing some additional implementation, please suggest.

Thanks,
Arun

jpollard · 11-27-2015, 10:56 PM

Not familiar with nss, but wouldn't this always leave template_user NULL.... even though authenticated? It is possible the application is waiting for a valid user.

kkarun · 11-30-2015, 04:18 AM

Hi,

The _nss_templateuser_endpwent takes void arguments and doesn't return or populate password structures. So assigning a NULL to a local variable[template_user] may not be an issue really (Correct me if i'm wrong!, ref this http://man7.org/linux/man-pages/man3/getpwent.3.html).

The actual password structure population is in _nss_templateuser_getpwent_r, which i copied below.

Code:

enum nss_status _nss_templateuser_getpwent_r(struct passwd *pwbuf, char *buf,
                      size_t buflen, struct passwd **pwbufp)
{
        pwbuf->pw_uid = nss_templateuser_getuid(template_user);
        pwbuf->pw_name = template_user;
        pwbuf->pw_dir = "/var/home/myuser";
        pwbuf->pw_shell = "/myownshell"; /* added for testing purpose */
        pwbufp=&pwbuf;
        return NSS_STATUS_SUCCESS;
}

The _nss_templateuser_getpwent_r is implemented based on http://man7.org/linux/man-pages/man3/getpwent_r.3.html is not invoked when we do a "getent" from shell. For testing we added sample syslogs to verify whether the method is being invoked, but it didn't help.

We are not sure, what are all the methods being invoked by the command getent which loops infinitely for us. Any help/info is much appreciated.

Thanks,
Arun

jpollard · 11-30-2015, 11:49 AM

And what happens to "nss_templateuser_getuid(template_user)" when template_user is NULL, and the pwbuf->pw_name is NULL?

If you are setting the home and shell parameters for testing, shouldn't you also set the uid and name for testing?

kkarun · 12-08-2015, 11:15 PM

Hi pollard,

The template_user is statically assigned with remote value in the beginning of the program. Only in _nss_templateuser_endpwent it is assigned back to NULL just to free the unused space. I guess the endpwent will be called at the end of getent execution. Sample code for the static allocation of template_user.

/** Holds a temporary user name. */
static char *template_user = "xyz";
size_t size = 150;

For getuid method we have separate implementation which retrieves the uid of the "xyz" user(which works fine for us). The main problem is the infinite looping of getent linux command.

Thanks,
Arun

jpollard · 12-09-2015, 04:28 AM

Quote:

Originally Posted by kkarun

Hi pollard,

The template_user is statically assigned with remote value in the beginning of the program. Only in _nss_templateuser_endpwent it is assigned back to NULL just to free the unused space. I guess the endpwent will be called at the end of getent execution. Sample code for the static allocation of template_user.

/** Holds a temporary user name. */
static char *template_user = "xyz";
size_t size = 150;

For getuid method we have separate implementation which retrieves the uid of the "xyz" user(which works fine for us). The main problem is the infinite looping of getent linux command.

Thanks,
Arun

Based on the code supplied... template_user is set to NULL, and the string deallocated (which is an error in the static case you report. And that seems to contradict what you say here.

BTW, a static declaration is not exported to other modules.

If _nss_templateuser_getpwent_r is supposed to get a new entry, then SOMETIME it must not return success...

Yet your code again shows it always returning NSS_STATUS_SUCCESS. Thus anything testing for the end of the list will never terminate.

The command line getent returns a single list of the entries identified. Invoke it again and you get another list. The command works just fine, it terminates normally and cannot do anything else.

kkarun · 01-07-2016, 04:39 AM

Hi jpollard,

Thanks a lot for your valuable suggestions. One of our mistakes was the deallocation of template_user which was previously statically assigned with "remote".

We did enough testing and found out the root cause for the issue too, the mapping for this was also missing under lib folder. Now getent is working fine and thanks for your continuous help provided.

Thanks,
Arun